
Re: referrer directive expressiveness

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 10 Feb 2014 15:05:16 +0100
Message-ID: <CADnb78gAe3yhp7uP3tXP79JtM4dMMC0D1cqa_vq8ykN9vmFJug@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: David Bruant <bruant.d@gmail.com>, Adam Barth <w3c@adambarth.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Brian Smith <brian@briansmith.org>
On Mon, Feb 10, 2014 at 1:40 PM, Mike West <mkwst@google.com> wrote:
> Hrm. I can see that. "none-when-insecure" was meant to refer to the
> transport mechanism only, but I agree with you that it's potentially
> confusing.

I think another problem is also that this value basically means a full
Referer header, unless you go from https to http. So in an insecure
context, such as HTTP without TLS, you would not use none, but full.

"url-unless-downgrade" might make more sense given that description?

Another nit, just "origin" (rather than "origin-always") and
"unsafe-url" to align with "none". Or "none-always", but shorter seems

> My only concern with "default" is that it might end up meaning
> different things to different browsers (see
> https://groups.google.com/d/msg/mozilla.dev.privacy/wmPzPCdzIU8/KGJ401Dj9lYJ
> for example). It would be nice to have a name that reflected explicit
> functionality as opposed to implicitly falling back on UA behavior. I don't
> have a good suggestion other than what I've already suggested. I'd
> appreciate suggestions from the group...

When we talked about this at Mozilla Brian at least wanted to be able
to experiment with exposing less than is done currently. I haven't really
made up my mind personally as to whether that would make privacy
better, but it does seem like something that the user should have
control over and a browser should be able to have a conservative
policy for.

Received on Monday, 10 February 2014 14:05:49 UTC
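The semantics being argued over above (that "none-when-insecure" sends the full URL everywhere except on an https-to-http downgrade, while "origin"/"origin-always" and "unsafe-url" always send something) can be made concrete with a small policy evaluator. The following is an added illustration, not code from this thread or from any browser; it uses the value names proposed in the message, treats "url-unless-downgrade" as an alias of "none-when-insecure", and the helper names, the sample URLs and the rule that only https counts as a protected scheme are this example's own assumptions.

```javascript
// Added example: compute the Referer header value a client would send for a
// request from `fromUrl` to `toUrl` under the policy names discussed in the
// thread. Not code from the thread or from any browser; helper names, the
// sample URLs and the "only https is protected" rule are assumptions.

const PROTECTED_SCHEMES = new Set(["https:"]);

// A downgrade is a request from a TLS-protected origin to a plaintext one.
// http -> http is not a downgrade, which is exactly the case the message
// points out: "none-when-insecure" still sends the full URL there.
function isDowngrade(from, to) {
  return PROTECTED_SCHEMES.has(from.protocol) && !PROTECTED_SCHEMES.has(to.protocol);
}

// The "full" referrer is the URL with credentials and fragment removed.
function strippedUrl(u) {
  const copy = new URL(u.href);
  copy.username = "";
  copy.password = "";
  copy.hash = "";
  return copy.href;
}

// Returns the Referer value as a string, or null when no header is sent.
function referrerFor(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  switch (policy) {
    case "none":
      return null;
    case "none-when-insecure":
    case "url-unless-downgrade": // alias proposed in the thread
      return isDowngrade(from, to) ? null : strippedUrl(from);
    case "origin":
    case "origin-always":
      return from.origin + "/";
    case "unsafe-url":
      return strippedUrl(from);
    default:
      throw new Error("unknown referrer policy: " + policy);
  }
}

// Constructed request matrix showing where each value leaks the path/query.
function leakMatrix() {
  const policies = ["none", "none-when-insecure", "origin", "unsafe-url"];
  const requests = [
    ["https://shop.example/cart?id=42", "http://tracker.example/pixel"],
    ["http://shop.example/cart?id=42", "http://tracker.example/pixel"],
    ["https://shop.example/cart?id=42", "https://cdn.example/app.js"],
  ];
  const rows = [];
  for (const [from, to] of requests) {
    for (const p of policies) {
      const value = referrerFor(p, from, to);
      rows.push({ policy: p, from, to, referer: value,
                  leaksPath: value !== null && value.includes("cart") });
    }
  }
  return rows;
}

for (const row of leakMatrix()) {
  console.log(row.policy.padEnd(20), row.from, "->", row.to, "=>", row.referer);
}
```

Running the block prints one line per (policy, request) pair; the second request (http to http) is the one where "none-when-insecure" sends the full URL despite the "none" in its name, which is the naming confusion the message raises.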
